Add on.steps and on.permissions support for pre-activation job step injection

[Copilot]

Adds new on.steps and on.permissions front matter fields that inject custom steps and permissions into the pre-activation job, enabling inline gate checks that can conditionally suppress activation — saving one workflow job compared to using a separate pre-computation job.

Behavior

• on.steps creates a pre-activation job if one doesn't already exist
• Steps are appended after all built-in checks (membership, stop-time, skip-if, etc.)
• Each step with an id gets an auto-wired output <id>_result: ${{ steps.<id>.outcome }} (values: success/failure/cancelled/skipped)
• Explicit outputs defined in jobs.pre-activation.outputs take precedence over auto-wired on.steps outputs on key collision
• When on.steps is the only reason for pre-activation, activated outputs 'true' unconditionally — the user controls agent execution via their own if: condition
• on.permissions merges additional permission scopes into the pre-activation job (e.g., issues: read for GitHub API calls in on.steps)
• The steps: and permissions: keys are commented out in the compiled on: trigger section (like other gh-aw-specific fields)
• if: needs.pre_activation.outputs.* conditions in the front matter are correctly deferred to downstream jobs and not incorrectly applied to the pre_activation job itself

Usage

on:
  issues:
    types: [opened]
  permissions:
    issues: read
  steps:
    - name: Gate check
      id: gate
      uses: actions/github-script@v8
      with:
        script: |
          const issues = await github.rest.issues.listForRepo(context.repo);
          core.setOutput('has_work', issues.data.length > 0 ? 'true' : 'false');

if: needs.pre_activation.outputs.gate_result == 'success'

To expose arbitrary step output values alongside the auto-wired outcome, use jobs.pre-activation.outputs:

jobs:
  pre-activation:
    outputs:
      has_work: ${{ steps.gate.outputs.has_work }}

Changes

• compiler_types.go: Added OnSteps []map[string]any and OnPermissions *Permissions to WorkflowData
• compiler_pre_activation_job.go: Appends on.steps to pre-activation steps; auto-wires <id>_result outputs using steps.<id>.outcome; wires auto outputs before merging custom outputs so explicit user config wins; merges on.permissions into pre-activation job permissions; adds extractOnSteps, extractOnPermissions, and referencesPreActivationOutputs functions
• compiler_jobs.go: Adds hasOnSteps as a condition to trigger pre-activation job creation
• compiler_orchestrator_workflow.go: Populates OnSteps and OnPermissions during processOnSectionAndFilters
• frontmatter_extraction_yaml.go: Comments out on.steps and on.permissions in the compiled on: section; guards event-section entering checks when inside on.permissions or on.steps to prevent false matches on nested keys (e.g., issues: read inside on.permissions)
• main_workflow_schema.json: Adds steps and permissions properties to the on: object schema
• issue-monster.md: Converted search_issues custom job to on.steps, saving one workflow job
• on_steps_test.go: Integration and unit tests covering all new behaviors including on.permissions and referencesPreActivationOutputs
• guides/deterministic-agentic-patterns.md: Updated "Custom Trigger Filtering" section — on.steps: is now the primary recommended approach (saves 1 job); multi-job pattern documented as "For Complex Cases"; added on.permissions: usage example
• reference/triggers.md: Added ### Pre-Activation Steps (on.steps:) and ### Pre-Activation Permissions (on.permissions:) sections with full documentation and examples
• reference/frontmatter.md: Added steps: and permissions: to the on: field summary list

Original prompt

Add support for front matter field "on.steps" that injects steps in the pre-activation job and allows to inline extra checks to conditional cancel activation.

on:
steps:
- run: check ...
id: gate

if: needs.pre_activation.outputs.gate.result ...

• if used, create pre-activation
• append in pre_action job after other checks
• outputs wire to the job output

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[Copilot]

Pull request overview

Adds support for a new on.steps front matter field that injects user-defined steps into the pre-activation job and exposes their step-status via pre-activation job outputs.

Changes:

• Extend workflow data model and orchestrator parsing to capture on.steps.
• Ensure pre-activation job is created when on.steps is present, append injected steps after built-in checks, and auto-wire outputs.
• Update YAML frontmatter extraction and JSON schema to allow/comment out on.steps, and add tests for the new behavior.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
pkg/workflow/on_steps_test.go	Adds unit/integration-style tests validating injection, ordering, and output wiring for on.steps.
pkg/workflow/frontmatter_extraction_yaml.go	Comments out on.steps (and its contents) in the compiled on: YAML block like other gh-aw-specific fields.
pkg/workflow/compiler_types.go	Adds WorkflowData.OnSteps to carry parsed injected steps.
pkg/workflow/compiler_pre_activation_job.go	Appends on.steps into pre-activation steps, wires per-step outputs, and handles the “on.steps-only” pre-activation case; adds extractOnSteps.
pkg/workflow/compiler_orchestrator_workflow.go	Extracts on.steps during processOnSectionAndFilters into WorkflowData.
pkg/workflow/compiler_jobs.go	Ensures pre-activation job is created when on.steps is present.
pkg/parser/schemas/main_workflow_schema.json	Extends schema to allow on.steps and documents how to reference the wired outputs.

Comments suppressed due to low confidence (1)

pkg/workflow/compiler_pre_activation_job.go:356

• Job outputs are wired to ${{ steps.<id>.result }}, but GitHub Actions step contexts expose outcome/conclusion (and outputs.*), not a result field. This will produce an empty/invalid output at runtime. Consider wiring to ${{ steps.<id>.outcome }} (or conclusion, depending on the desired semantics) and update docs/tests accordingly.

		for _, id := range onStepIDs {
			outputKey := id + "_result"
			outputs[outputKey] = fmt.Sprintf("${{ steps.%s.result }}", id)
		}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[pelikhan]

@copilot review agentic workflows that use a separate job to conditionally if the activation job (top level if) and determine if the job can be converted in steps to save 1 job

[Copilot]

@copilot review agentic workflows that use a separate job to conditionally if the activation job (top level if) and determine if the job can be converted in steps to save 1 job

Reviewed the 5 workflows that use a separate pre-computation job gated by if: needs.<job>.outputs.*. Here's the analysis:

✅ Convertible to on.steps:

• bot-detection.md (precompute job): Uses a single actions/github-script step that makes GitHub API calls. Can be moved to on.steps. The if: needs.precompute.outputs.action != 'none' check would need the step to fail/exit-non-zero when action == 'none' (so precompute_result == 'success' as the condition), or explicitly re-expose the output via jobs.pre-activation.outputs.

• issue-monster.md (search_issues job): Uses a single actions/github-script step for issue search. The step could move to on.steps, with has_issues and other outputs re-exposed via jobs.pre-activation.outputs.

❌ Not suitable for on.steps:

• go-pattern-detector.md (ast_grep job): Requires actions/checkout + cargo install ast-grep --locked (slow, heavyweight). Not suitable for injection into the pre-activation job.

• hourly-ci-cleaner.md (check_ci_status job): Requires actions/checkout + gh CLI calls. Heavyweight setup not suited for pre-activation.

• ace-editor.md (post_ace_link job): This is a post-activation job (depends on activation, not pre_activation). Out of scope for on.steps.

Key limitation: on.steps auto-wires only <id>_result: ${{ steps.<id>.outcome }} (success/failure). Workflows that need to expose multiple $GITHUB_OUTPUT values can still use jobs.pre-activation.outputs alongside on.steps to re-expose those values.

Also fixed two bugs in commit 2131774:

1. Used steps.<id>.result (invalid) → now correctly uses steps.<id>.outcome
2. Custom jobs.pre-activation.outputs now take precedence over auto-wired on.steps outputs (applied last, so they win on key collision)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -unreachable=false /tmp/go-build1787817127/b048/vet.cfg 7817127/b333/vet.cfg (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --local user.email ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -bool -buildtags /opt/hostedtoolcache/node/24.14.0/x64/bin/bash -errorsas -ifaceassert -nilfunc bash --no�� --noprofile -tests /usr/bin/git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --noprofile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --noprofile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --noprofile (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --noprofile (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha get --global 64/pkg/tool/linux_amd64/vet http.https://gitgit (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha .\w*\.result .cfg 64/pkg/tool/linux_amd64/vet ion_mode.go ion_pins.go ion_pins_integra--show-toplevel 64/pkg/tool/linux_amd64/vet ion_�� ion_reference.go ion_reference_test.go ache/go/1.25.0/x64/pkg/tool/linux_amd64/asm ion_resolver_tesgit ion_sha_checker.rev-parse ion_sha_checker_--show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/asm (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha er-docs-review.md y-checker.md 64/pkg/tool/linux_amd64/vet http.https://gitgit (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

Contribution Guidelines Check ✅

Hey @Copilot 👋 — great work on the on.steps pre-activation injection feature! This is a well-structured addition that extends the compilation pipeline in a clean, consistent way.

Here's a quick checklist summary:

Check	Result
On-topic	✅ yes
Follows process	✅ yes — implemented by Copilot coding agent, assigned to core team member
Focused	✅ yes — all changes relate to the on.steps feature
New dependencies	✅ none added
Tests included	✅ yes — on_steps_test.go with 320 lines of coverage
PR description	✅ yes — thorough with behavior notes, usage examples, and change summary
Lines changed	508 (+498 / -10)

Verdict: 🟢 Aligned — this PR looks ready for maintainer review.

The implementation touches exactly the right files (compiler_types.go, compiler_pre_activation_job.go, compiler_jobs.go, compiler_orchestrator_workflow.go, frontmatter_extraction_yaml.go, and the JSON schema), the auto-wiring of _result outputs is a nice ergonomic touch, and the test file provides strong integration coverage for all the documented behaviors.

Generated by Contribution Check · ◷

[pelikhan]

@copilot

• convert issue monster
• add support for on.permissions to allow setting up additional permissions

[Copilot]

@copilot

• convert issue monster...

Done in commit 04cab0c (with review fixes in b78b653):

issue-monster.md converted — the search_issues job is now inline as on.steps, saving 1 job. Outputs (has_issues, issue_count, etc.) are re-exposed via jobs.pre-activation.outputs. The agent job condition is now needs.pre_activation.outputs.has_issues == 'true'.

on.permissions added — new on: field that merges additional permission scopes into the pre-activation job. Used by issue-monster.md to grant issues: read and pull-requests: read for the search step:

on:
  issues:
    types: [opened]
  permissions:
    issues: read
  steps:
    - name: Gate check
      id: gate
      uses: actions/github-script@v8
      with:
        script: |
          # GitHub API calls here using issues: read

A self-reference bug was also fixed: if: needs.pre_activation.outputs.* conditions are no longer incorrectly applied to the pre_activation job itself — they're deferred to downstream jobs as intended.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ion_pins.go ion_pins_integra-unreachable=false x_amd64/compile ion_�� ion_reference.go ion_reference_test.go ache/go/1.25.0/x64/bin/bash ion_resolver_tes/opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet ion_sha_checker.-atomic ion_sha_checker_-bool ion_sha_checker_-buildtags (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw kN/a40qZ6JZGU4ci-atomic (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha /tmp/TestHashStability_SameInputSameOutput2697133019/001/stability-test.md -dwarf=false /usr/bin/git go1.25.0 -c=4 -nolocalimports git rev-�� --show-toplevel /tmp/go-build1847136444/b422/_testmain.go /usr/bin/git se 2128889/b025/vetrev-parse .cfg git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git -C /tmp/gh-aw-test-runs/20260316-145614-22335/test-602215351 rev-parse (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git rev-�� --show-toplevel git /opt/hostedtoolcache/node/24.14.0/x64/bin/node --show-toplevel git /usr/bin/git node (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha -aw/git/ref/tags/v2.0.0 config 0/x64/bin/node remote.origin.urgit --log-level $name) { has--show-toplevel 0/x64/bin/node -ato�� -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha sistency_KeyOrdering2537216965/001/test2.md git /opt/pipx_bin/bash --show-toplevel git /usr/bin/git bash --no�� --noprofile git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel git 0/x64/bin/node --git-dir git /usr/bin/git git cjs --show-toplevel git /usr/bin/git --show-toplevel x_amd64/compile /usr/bin/git git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha ithub/workflows /tmp/go-build1802128889/b078/vet.cfg x_amd64/compile l piler_pre_activarun ache/node/24.14.list x_amd64/compile -ato�� k/gh-aw/gh-aw/.g--workflow -buildtags 64/pkg/tool/linu--limit l -ifaceassert ed } } 64/pkg/tool/linux_amd64/link (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/infocmp ithub/workflows 2128889/b084/vetrev-parse repository(owne--show-toplevel infocmp -1 xterm-color ache/go/1.25.0/x/tmp/file-tracker-test1143505000/test2.lock.yml /usr/bin/git se 2128889/b242/vetrev-parse x_amd64/compile git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/link /usr/bin/git aw.test -test.timeout=10rev-parse ortcfg.link git rev-�� --show-toplevel YLl-XuEdjIwzjTczqo/AkAzMrs5CsFYkTest User /usr/bin/git xterm-color x_amd64/compile g_.a git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel -1DSLoRtNKvO ache/node/24.14.0/x64/bin/node e=false (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /repos/github/gh-aw/git/ref/tags/v1.2.3 (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linu-buildtags /usr/bin/git ithub/workflows /tmp/go-build180rev-parse 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git g_.a bash /usr/bin/git git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha rt (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha F6bC3ZBLG .cfg r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --noprofile .cfg r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha k/gh-aw/gh-aw/.github/workflows/ai-moderator.md 64/pkg/tool/linu-f /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile e=false .cfg repository(owne--show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile @/tm�� ndor/bin/git resolved$ /usr/bin/git --noprofile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse /usr/bin/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel infocmp ache/go/1.25.0/x--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel git ache/node/24.14.0/x64/bin/node --show-toplevel grep /usr/bin/git git _out�� --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel 64/pkg/tool/linurev-parse ache/node/24.14.0/x64/bin/node e=false (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel docker /usr/bin/git git rev-�� --show-toplevel nl5WspGpArWy ache/node/24.14.0/x64/bin/node --show-toplevel infocmp cal/bin/node ache/node/24.14.0/x64/bin/node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel /usr/lib/git-core/git ache/node/24.14.0/x64/bin/node origin REDACTED /usr/bin/git infocmp _out�� xterm-color git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha inspect mcp/memory /usr/bin/infocmp s/issue-monster.git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel /opt/hostedtoolcrev-parse /usr/bin/git git rev-�� runs/20260316-145614-22335/test-test-logs/run-5 git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha --show-current git 0/x64/bin/node --git-dir git ache/node/24.14.--show-toplevel git ance�� --show-toplevel ache/node/24.14.0/x64/bin/node 0/x64/bin/node ease.assets[0].igit git /usr/bin/git git (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --noprofile les n-dir/bash (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility --exclude-standaremote.origin.url --others r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha 7136444/b402/logger.test config 7136444/b402/importcfg.link remote.origin.urgit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git 0/x64/bin/node --show-toplevel /opt/hostedtoolcrev-parse /usr/bin/git 0/x64/bin/node -1 runs/20260316-145614-22335/test-3157703616 git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha /usr/bin/git ache/node/24.14.0/x64/bin/node 0/x64/bin/node --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git 0/x64/bin/node --git-dir git /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha 7136444/b404/_pkg_.a bash 7136444/b404=> --noprofile b/gh-aw/pkg/loggrev-parse x_amd64/vet /usr/bin/gh api Gmd5/Q79soNnba1-7OfK-Gmd5 -f /usr/sbin/bash -f owner=github -f 7136444/b404/importcfg (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha 3621197/b401/_pkg_.a git 3621197/b401=> --show-toplevel /opt/hostedtoolcrev-parse /usr/bin/git git rev-�� runs/20260316-145614-22335/test-3157703616 git /usr/bin/git l 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha /usr/bin/git ache/node/24.14.0/x64/bin/node 0/x64/bin/node uts.tag git /usr/bin/git git rev-�� --show-toplevel git 0/x64/bin/node --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 git /bin/sh test.txt 64/pkg/tool/linurev-parse /usr/bin/git /bin/sh -c git-upload-pack 'origin' git-upload-pack 'origin' /usr/bin/git user.name Test User /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 --always ache/go/1.25.0/x64/pkg/tool/linu-nilfunc (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 node /usr/bin/git image:v1.0.0 64/pkg/tool/linuinit /usr/bin/git git rev-�� HEAD git /usr/bin/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 ache/go/1.25.0/x64/pkg/tool/linux_amd64/link /usr/bin/git 7136444/b433/worgit 64/pkg/tool/linurev-parse 7136444/b433/imp--show-toplevel git bran�� agent-persona-explorer.md 9o2bylwtoTATD/_OlyRDkzbCt4AWUYe2dN/WaOxrbbLQaUN4s_TPA7z/uVVs6-d9o2bylwtoTATD /usr/bin/git ry=1 ache/go/1.25.0/xrev-parse che/go-build/e8/--show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 git /usr/lib/git-core/git-upload-pack -m Test commit /usr/bin/git git-upload-pack orig�� ache/go/1.25.0/x--show-toplevel git 64/pkg/tool/linux_amd64/link user.email test@example.comapi /usr/bin/git 64/pkg/tool/linu--jq (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 /usr/lib/git-core/git /usr/bin/git run --auto /usr/bin/git git merg�� origin/main feature-branch /usr/bin/git --git-dir ache/go/1.25.0/x-1 /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 2128889/b304/vet.cfg 2128889/b168/vet.cfg -p github.com/githurev-parse -lang=go1.25 /opt/hostedtoolcache/go/1.25.0/x--jq -uns�� -unreachable=false /tmp/go-build1802128889/b040/vet.cfg me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -c=4 -nolocalimports ed } } /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linuconfig (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 git /usr/bin/git --oneline -1 /usr/bin/git git diff�� --stat ..feature-branch /usr/bin/git --show-toplevel ache/go/1.25.0/x/tmp/fuzz-expr-585734192.js /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 c 0/x64/bin/node - (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 git /usr/bin/git (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -t security 64/pkg/tool/linu-f OUTPUT -d 168.63.129.16 64/pkg/tool/linurev-parse --no�� --noprofile .cfg 64/pkg/tool/linux_amd64/vet ACCEPT (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha ty-test.md (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git /usr/bin/git ithub/workflows/gh config 7136444/b422/sty/repos/actions/github-script/git/ref/tags/v8 git rev-�� --show-toplevel 7136444/b422/styles.test /usr/bin/git t0 x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha --noprofile .cfg 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git /home/REDACTED/wor/opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link config 0/x64/bin/node git rev-�� --show-toplevel git /usr/bin/git ithub/workflows/gh config 7136444/b422/sty/repos/actions/github-script/git/ref/tags/v8 git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha ILrzhVffl .cfg r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha 652977/b001/_pkg_.a .cfg repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha 652977/b001/exe/remote.origin.url .cfg 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha 652977/b356/_pkg-f .cfg 64/pkg/tool/linu-f (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha --show-toplevel infocmp /usr/bin/git xterm-color bash /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git k/gh-aw/gh-aw/.g/tmp/go-build2083621197/b414/styles.test config ache/go/1.25.0/x-test.paniconexit0 git (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha permissions\|# -errorsas (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha ithub/workflows (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha ithub-script/git/ref/tags/v8 git /usr/bin/git /home/REDACTED/wor/opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link config ache/node/24.14./tmp/go-build2083621197/b416/testutil.test git rev-�� --show-toplevel bash /usr/bin/git sistency_GoAndJanode x_amd64/vet /opt/hostedtoolc/home/REDACTED/work/gh-aw/gh-aw/.github/workflows/agent-performance-analyzer.md git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/link (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion --show-toplevel ache/go/1.25.0/xrev-parse /opt/hostedtoolc--show-toplevel git rev-�� l && debian-sa1 1 1 node /usr/bin/git /home/REDACTED/worgit M4ghRW5/CVO6ELzirev-parse /usr/bin/infocmp--show-toplevel git (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo Activation|TestReferences (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo /usr/bin/git k/gh-aw/gh-aw/.ggit -f 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git 7136444/b388/_pkgit .cfg 7136444/b388=> git (http block)
• https://api.github.com/repos/owner/repo/contents/file.md
  • Triggering command: /tmp/go-build1847136444/b383/cli.test /tmp/go-build1847136444/b383/cli.test -test.testlogfile=/tmp/go-build1847136444/b383/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -delete (http block)
  • Triggering command: /tmp/go-build2083621197/b001/cli.test /tmp/go-build2083621197/b001/cli.test -test.testlogfile=/tmp/go-build2083621197/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s rev-�� --show-toplevel infocmp /usr/bin/git QoH9vXcpG bash 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/link /usr/bin/git eutil.test g/sliceutil/slicrev-parse ortcfg.link git (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name |if:.*pre_activation lock.yml 64/pkg/tool/linux_amd64/vet w_schema.json'))/usr/bin/gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name --show-toplevel /usr/bin/gh /usr/bin/git k/gh-aw/gh-aw/.ggit -f 0/x64/bin/node git otOr�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git SameOutput269713git bash /usr/bin/git git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot review code changes, update docs in deterministic agent pre filtering

[Copilot]

@copilot review code changes, update docs in deterministic agent pre filtering

Done in commit 7fac097. Updated docs in three places:

• guides/deterministic-agentic-patterns.md: Restructured "Custom Trigger Filtering" — on.steps: is now the primary "Inline Steps — Preferred" subsection (saves 1 job) with examples showing outcome-based filtering and on.permissions: for API calls; the existing multi-job pattern is kept as "For Complex Cases"
• reference/triggers.md: Added new ### Pre-Activation Steps (on.steps:) and ### Pre-Activation Permissions (on.permissions:) sections with full documentation and examples
• reference/frontmatter.md: Added steps: and permissions: to the on: field summary list

[pelikhan]

@copilot make sure you consistently use result or outcome , don't confuse them.

[Copilot]

@copilot make sure you consistently use result or outcome , don't confuse them.

Fixed in commit faa621f. The terminology is now consistent throughout:

• <id>_result — the auto-wired output key name
• steps.<id>.outcome — the GitHub Actions step context field that provides the value (success/failure/cancelled/skipped)

The doc examples were also fixed: the outcome-based examples now use a step that actually exits non-zero on failure (echo "$LABELS" | grep -q '"bug"'), so <id>_result == 'success' is meaningful. The custom-output examples use a separate step that sets an explicit output value and re-exposes it via jobs.pre-activation.outputs.